SEC545: Cloud Security Architecture and Operations Waitlist

Mon, February 18 - Fri, February 22, 2019

Dave brings enthusiasm and experience, the course content really shows how cloud can become a security-enabler within organizations! SEC545 is my Swiss knife for cloud security.

Jeroen Vandeleur, NVISO

One of the best instructors I've ever had.

Anonymous

As more organizations move data and infrastructure to the cloud, security is becoming a major priority. Operations and development teams are finding new uses for cloud services, and executives are eager to save money and gain new capabilities and operational efficiency by using these services. But will information security prove to be an Achilles' heel? Many cloud providers do not provide detailed control information about their internal environments, and quite a few common security controls used internally may not translate directly to the public cloud.

The SEC545 course, Cloud Security Architecture and Operations, will tackle these issues one by one. We'll start with a brief introduction to cloud security fundamentals, and then cover the critical concepts of cloud policy and governance for security professionals. For the rest of day one and all of day two, we'll move into technical security principles and controls for all major cloud types (SaaS, PaaS, and IaaS). We'll learn about the Cloud Security Alliance framework for cloud control areas, then delve into assessing risk for cloud services, looking specifically at technical areas that need to be addressed.

The course then moves into cloud architecture and security design, both for building new architectures and for adapting tried-and-true security tools and processes to the cloud. This will be a comprehensive discussion that encompasses network security (firewalls and network access controls, intrusion detection, and more), as well as all the other layers of the cloud security stack. We'll visit each layer and the components therein, including building secure instances, data security, identity and account security, and much more. We'll devote an entire day to adapting our offense and defense focal areas to cloud. This will involve looking at vulnerability management and pen testing, as well as covering the latest and greatest cloud security research. On the defense side, we'll delve into incident handling, forensics, event management, and application security.

We wrap up the course by taking a deep dive into SecDevOps and automation, investigating methods of embedding security into orchestration and every facet of the cloud life cycle. We'll explore tools and tactics that work, and even walk through several cutting-edge use cases where security can be automated entirely in both deployment and incident detection-and-response scenarios using APIs and scripting.

NOTICE: Additional Student Requirements:

An Amazon Web Services (AWS) account is required to do hands-on exercises during this course! The AWS account must be created prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class. For detailed instructions on setting up your account: https://www.sans.org/media/security-training/laptop/Creating_your_SEC545_AWS_Account.pdf

Course Syllabus

SEC545.1: Cloud Security Foundations

Overview

The first day of the class starts out with an introduction to the cloud, including terminology, taxonomy, and basic technical premises. We also examine what is happening in the cloud today, and cover the spectrum of guidance available from the Cloud Security Alliance, including the Cloud Controls Matrix, the 14 major themes of cloud security, and other research available.

Next we spend time on cloud policy and planning, delving into the changes an organization needs to make for security and IT policy to properly embrace the cloud. After all the legwork is done, we'll start talking about some of the main technical considerations for the different cloud models. We'll start by breaking down Software-as-a-Service (SaaS) and some of the main types of security controls available. A specialized type of Security-as-a-Service (SecaaS) known as Cloud Access Security Brokers (CASBs) will also be explained, with examples of what to look for in such a service. We'll wrap up with an introduction to Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) controls, which will set the stage for the rest of the class.

Exercises

Exploring AWS and Security

Evaluating Cloud Policies

Evaluating Cloud Contracts

Deploying and Securing Cloud Containers

SecaaS with Cloud Passage

CPE/CMU Credits: 6

Topics

Introduction to the Cloud and Cloud Security Basics

Cloud Security Alliance Guidance

Cloud Policy and Planning

SaaS Security

Cloud Access Security Brokers (CASBs)

Intro to PaaS and IaaS Security Controls

SEC545.2: Core Security Controls for Cloud Computing

Overview

The second day of SEC545 compares traditional in-house controls with those in the cloud today. Some controls are similar and mostly compatible, but not all of them. Since most cloud environments are built on virtualization technology, we walk through a short virtualization security primer, which can help teams building hybrid clouds that integrate with internal virtualized assets, and also help teams properly evaluate the controls cloud providers offer in this area. We'll then break down cloud network security controls and tradeoffs, since this is an area that is very different from what we've traditionally run in-house.

For PaaS and IaaS environments, it's critical to secure virtual machines (instances) and the images we deploy them from, so we cover this next. At a high level, we'll also touch on identity and access management for cloud environments to help control and monitor who is accessing the cloud infrastructure, as well as what they're doing there. We also cover data security controls and types, including encryption, tokenization, and more. Specific things to look for in application security are laid out as the final category of overall controls. We then pull it all together to demonstrate how you can properly evaluate a cloud provider's controls and security posture.

Exercises

Hypervisor Security

Setting Up VPCs and Cloud Networks

Configuration Control and Assessment with AWS Config

Cloud Risk Assessment

CPE/CMU Credits: 6

Topics

Cloud Security: In-House versus Cloud

A Virtualization Security Primer

Cloud Network Security

Instance and Image Security

Identity and Access Management

Data Security for the Cloud

Application Security for the Cloud

Provider Security: Cloud Risk Assessment

SEC545.3: Cloud Security Architecture and Design

Overview

Instead of focusing on individual layers of our cloud stack, we start day three by building the core security components. We'll break down cloud security architecture best practices and principles that most high-performing teams prioritize when building or adding cloud security controls and processes to their environments. We start with infrastructure and core component security - in other words, we need to look at properly locking down all the pieces and parts we covered on day two!

This then leads to a focus on major areas of architecture and security design. The first is building various models of access control and compartmentalization. This involves breaking things down into two categories: identity and access management (IAM) and network security. We delve into these in significant depth, as they can form the backbone of a sound cloud security strategy. We then look at architecture and design for data security, touching on encryption technologies, key management, and what the different options are today. We wrap up our third day with another crucial topic: availability. Redundant and available design is as important as ever, but we need to use cloud provider tools and geography to our advantage. At the same time, we need to make sure we evaluate the cloud provider's DR and continuity, and so this is covered as well.

Exercises

IAM within S3

EC2 and IAM Roles

Managing Cloud Instances with EC2 Systems Manager

Complex IAM with Container Secrets

Secure Network Architecture with Bastion Hosts

CPE/CMU Credits: 6

Topics

Cloud Security Architecture Overview

Cloud Architecture and Security Principles

Infrastructure and Core Component Security

Access Controls and Compartmentalization

Confidentiality and Data Protection

Availability

SEC545.4: Cloud Security - Offense and Defense

Overview

There are many threats to our cloud assets, so the fourth day of the course begins with an in-depth breakdown of the types of threats out there. We'll look at numerous examples. The class also shows students how to design a proper threat model focused on the cloud by using several well-known methods such as STRIDE, attack trees, and attack libraries.

Scanning and pen testing the cloud used to be challenging due to restrictions put in place by the cloud providers themselves. But today it is easier than ever. There are some important points to consider when planning a vulnerability management strategy in the cloud, and this class touches on how to best scan your cloud assets and which tools are available to get the job done. Pen testing naturally follows this discussion, and we talk about how to work with the cloud providers to coordinate tests, as well as how to perform testing yourself.

On the defensive side, we start with network-based and host-based intrusion detection, and how to monitor and automate our processes to better carry out this detection. This is an area that has definitely changed from what we're used to in-house, so security professionals need to know what their best options are and how to get this done. Our final topics on day four include incident response and forensics (also topics that have changed significantly in the cloud). The tools and processes are different, so we need to focus on automation and event-driven defenses more than ever.

Exercises

Vulnerability Assessment with AWS Inspector

Cloud Threat Modeling

Deploying Kali in the Cloud for Pen Tests

flAWS: A Cloud-Based CTF

Logging and Events in the Cloud

CPE/CMU Credits: 6

Topics

Threats to Cloud Computing

Vulnerability Management in the Cloud

Cloud Pen Testing

Intrusion Detection in the Cloud

Cloud IR and Event Management

Cloud Forensics

SEC545.5: Cloud Security Automation and Orchestration

Overview

On our final day, we'll focus explicitly on how to automate security in the cloud, both with and without scripting techniques. We will use tools like the AWS CLI and AWS Lambda to illustrate the premises of automation, then turn our attention toward SecDevOps principles. We begin by explaining what that really means, and how security teams can best integrate into DevOps and cloud development and deployment practices. We'll cover automation and orchestration tools like Ansible and Chef, as well as how we can develop better and more efficient workflows with AWS CloudFormation and other tools.

Continuing some of the topics from day four, we will look at event-driven detection and event management, as well as response and defense strategies that work. While we won't automate everything, some actions and scenarios really lend themselves to monitoring tools like CloudWatch, tagging assets for identification in security processes, and initiating automated response and remediation to varying degrees. We wrap up the class with a few more tools and tactics, followed by a sampling of real-world use cases.

Exercises

AWS CLI Automation

Ansible Basics

Ansible Roles and Security

AWS CloudFormation

AWS CloudWatch

AWS Lambda Automation

CPE/CMU Credits: 6

Topics

Scripting and Automation in the Cloud

SecDevOps Principles

Creating Secure Cloud Workflows

Building Automated Event Management

Building Automated Defensive Strategies

Tools and Tactics

Real-World Use Cases

Class Wrap-Up

Additional Information

Laptop Required

SEC545 students will have the opportunity to install, configure, and utilize the tools and techniques that they have learned. You will be given a USB drive with three virtual machines, but it is critical that you have a properly configured system prior to class. Most labs are done online in the AWS Cloud.

IMPORTANT: You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products. You must also have a minimum of 8 GB of RAM for the VMs to function properly in class. A VMware product must be installed prior to coming to class. Verify that virtualization support is enabled in the BIOS.

Mandatory System Requirements

System running Windows, Linux, or Mac OS X 64-bit version

At least 8 GB RAM

40 GB of available disk space (more space is recommended)

Administrator access to the operating system

Anti-virus software will need to be disabled in order to install some of the tools

An Amazon Web Services (AWS) account is required to do hands-on exercises during this course! The AWS account must be created prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class.

It is critical that your CPU and operating system are 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Workstation Player 7 (or higher versions) on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

SEC545 Checklist:

I have confirmed that:

The system is running a 64-bit operating system

I have administrator access to the operating system

Anti-virus is disabled

The system includes a working USB port

I downloaded and installed VMware Workstation, Fusion, or Workstation Player

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security Analysts

Security Architects

Senior Security Engineers

Technical Security Managers

Security Monitoring Analysts

Cloud Security Architects

DevOps and DevSecOps Engineers

System Administrators

Cloud Administrators

Prerequisites

A basic understanding of TCP/IP, network security, and security architecture is helpful for this course. Comfort with the command line is a must, as many exercises are conducted there (Linux command line skills are useful). Comfort with VMware virtualization is a plus.

You Will Receive With This Course

Several virtual machines that include a hypervisor, Ansible platform, and more

MP3 audio files of the complete course lectures

All policy and configuration files that can be used to automate security in AWS

Set up and use an enterprise automation platform, Ansible, to automate configuration and orchestration tasks

Use CloudWatch, CloudFormation, and other automation tools to integrate automated security controls into your cloud security program

Hands-on Labs

SEC545: Cloud Security Architecture and Operations reinforces knowledge transfer through the use of numerous hands-on labs. This approach goes well beyond traditional lectures and delves into the practical application of techniques. Hands-on labs are held every day to reinforce the skills covered in class and to provide students with experience using the tools needed to implement effective security. The labs are designed to enable students to apply what they are learning in an instructor-led environment. Labs are wide-ranging and include:

Policy and governance labs

Security-as-a-Service labs

Architecture and design labs

Security automation labs

Offensive and defensive labs in the cloud

Log collection and review labs

Playing flAWS, a challenging cloud CTF

Author Statement

The cloud is happening - face it, security teams need to adapt to moving assets to the cloud, and it's happening fast. Unfortunately, many security teams aren't comfortable with the tools, controls, and design models needed to properly secure the cloud, and they need to get up to speed fast. In addition, many DevOps teams are building automated deployment pipelines, and security teams aren't integrated into those workflows. This class is going to help you. We'll take you from A to Z in the cloud, with everything ranging from policy, contracts, and governance to controls at all layers. We'll design cloud architectures, cover IAM and encryption, and look at how offense and defense differ in the cloud. We'll wrap it all up with automation tactics that will help you work effectively with the DevOps teams, and build a sustainable cloud security program in your environment.